Yotpo Privacy Guide

Everything you need to know about privacy, data processing, and compliance at Yotpo.
Chapter 01

Our Worldview on Privacy

As Yotpo’s Data Protection Officer, privacy is my business. I am a member of the IAPP, and trained with PwC and Deloitte in the most cutting-edge privacy practices and standards. Privacy by Design is more than just a phrase to me: it’s the guiding principle against which all of our decisions — from research and development, to third-party integrations and beyond — are weighed.

At Yotpo, we’ve built a secure digital framework that warrants your trust. As mentioned above, we use Privacy by Design, embedding secure practices into our technology and policies. Within this framework, your customer data is treated intelligently so that you can achieve compliance while growing your business reach.

Let’s go through the most important parts of Yotpo’s data privacy so you can learn exactly how we protect your customers’ personal data. For any specific questions, please reach out to dpo@yotpo.com.

– Arik Metzer, Data Protection Officer


Privacy Snapshot 2020

This year, we are working with:

  • Ernst and Young to perform our SOC 2 Type 2 report
  • Bugcrowd to find potential weaknesses in our system
  • OneTrust for data mapping, asset discovery, and vendor risk assessment

Chapter 02
Data Processing

Breaking it down

Yotpo’s Data Processing Agreement details our comprehensive data policy. Because it can be a bit dry, we’ll break down the most important parts.

What information do we collect from your customers?

  • Name: Enables us to personalize our communication with your customers and give your site reviews a partially anonymized version of a customer’s name (Arik M)
  • Email address: Enables us to communicate with your customers on your behalf
  • Phone number: Enables us to contact them via a text message, a feature we’ll be implementing in the future
  • IP address: Provides customer location information so that you can have better analytics about where reviews are originating
  • Shipping address: Allows us to monitor the use of referral links as part of our rewards and referral program

In compliance with the GDPR’s principle of data minimization, we only collect, store, and process data that is absolutely necessary for carrying out the purpose for which the data is processed.


Where does this information go?

As soon as the data is submitted to Yotpo, it’s protected by secure data encryption protocols. This encryption occurs throughout data transmissions, including its transmission from your servers and your customers’ devices.

If you or your customers are located in the EU, the data transfer is protected by Yotpo’s Privacy Shield Certification. Administered by the U.S. Department of Commerce and the European Commission, this certification addresses our adherence to privacy and security standards and practices.

Our data center is located in northern Virginia in the United States and is hosted with Amazon Web Services (AWS). While it’s hosted, all data is encrypted using AWS/KMS’s best encryption method. We also have a comprehensive Disaster Recovery Plan (DRP).


Who do we share data with?

As part of operating procedure, Yotpo may share personal information about end users with some or all of the following Yotpo partners, depending upon which features you enable:

  • Amazon Web Services (AWS): Hosts the content that Yotpo processes for customers
  • SendGrid: Sends emails to your customers on your behalf
  • Google: Displays customer reviews in your Google Seller Ratings and/or Google Shopping Ads. Google only receives your reviewers’ first name and last initial
  • Segment: Keeps you updated about your end users’ submitted content and personal information, providing you with insights about your customers
  • Customer.io: Keeps you updated about your end users’ submitted content and personal information via email
  • Kaltura: Enables you to upload your customers’ videos onto your site
  • Looker: Provides you with advanced data analytics and business metrics dashboards

Yotpo employees are only able to access your customers’ personal data when absolutely necessary (i.e. to resolve a support ticket). Each request for access must be approved by management on a case-by-case basis.

Chapter 03
Global Data Compliance

GDPR, CCPA, LGPD and more

While privacy regulations and agreements differ by country, Yotpo looks at the issue from a holistic, global standpoint.

If you operate internationally, we want to make sure you’ll be compliant wherever your business operates. That’s why, instead of focusing only on GDPR, CCPA, LGPD or any other local compliance, our privacy policy is designed to continuously adapt to new standards globally.

As countries develop and modify guidelines, your business could face new challenges with data compliance. With Yotpo’s privacy practices, you can rest assured that you’ll have the adaptability to meet any new regulations that may develop in different regions of the world.

For more details on specific agreements, see:

*A quick word on COPRA (Consumer Online Privacy Rights Act): this piece of federal privacy legislation is expected to become law in the United States sometime this year. Stay tuned for our comprehensive guide to COPRA, coming out soon.
